Abstract

Many quantum algorithms, including Shor's celebrated factoring and discrete log algorithms, proceed
by reduction to a hidden subgroup problem, in which an unknown subgroup H of a group G must be
determined from a quantum state $\psi$ over G that is uniformly supported on a left coset of H. These
hidden subgroup problems are typically solved by Fourier sampling: the quantum Fourier transform of
$\psi$ is computed and measured. When the underlying group is nonabelian, two important variants of the
Fourier sampling paradigm have been identified: the weak standard method, where only representation
names are measured, and the strong standard method, where full measurement (i.e., the row and column
of the representation, in a suitably chosen basis, as well as its name) occurs. It has remained open
whether the strong standard method is indeed stronger, that is, whether there are hidden subgroups that
can be reconstructed via the strong method but not by the weak, or any other known, method.

In this article, we settle this question in the affirmative. We show that hidden subgroups H of
the q-hedral groups, i.e., semidirect products $\mathbb{Z}_q \ltimes \mathbb{Z}_p$ where $q \mid (p-1)$, and in particular the affine
groups $A_p$, can be information-theoretically reconstructed using the strong standard method. Moreover,
if $|H| = p/\mathrm{polylog}(p)$, these subgroups can be fully reconstructed with a polynomial amount of quantum
and classical computation.

We compare our algorithms to two weaker methods that have been discussed in the literature — the 
"forgetful" abelian method, and measuring in a random basis — and show that both of these are weaker 
than the strong standard method with a chosen basis. Thus, at least for some families of groups, it is
crucial to use the full power of representation theory and nonabelian Fourier analysis: namely, to measure 
the high-dimensional representations in an adapted basis that respects the group's subgroup structure. 

We apply our algorithm for the hidden subgroup problem to new families of cryptographically
motivated hidden shift problems, generalizing work of van Dam, Hallgren and Ip on shifts of multiplicative
characters. Finally, we close by proving a simple closure property for the class of groups over which the
hidden subgroup problem can be solved efficiently.



1 The Hidden Subgroup Problem 

One of the principal quantum algorithmic paradigms is the use of the abelian Fourier transform to discover
a function's hidden periodicities. In the examples relevant to quantum computing, an oracle function f
defined on an abelian group G has "hidden periodicity" if there is a "hidden" subgroup H of G so that f
is precisely invariant under translation by H or, equivalently, f is constant on the cosets of H and takes
distinct values on distinct cosets. The hidden subgroup problem is the problem of determining the subgroup
H from such a function. Algorithms for these problems typically adopt the approach detailed below, called
Fourier sampling [2]:

Step 1. Prepare two registers, the first in a uniform superposition over the elements of a group G and the
second with the value zero, yielding the state

$$\psi_1 = \frac{1}{\sqrt{|G|}} \sum_{g \in G} |g\rangle \otimes |0\rangle .$$



Step 2. Calculate (or if it is an oracle, query) the function f defined on G and XOR it with the second
register. This entangles the two registers and results in the state

$$\psi_2 = \frac{1}{\sqrt{|G|}} \sum_{g \in G} |g\rangle \otimes |f(g)\rangle .$$

Step 3. Measure the second register. This produces a uniform superposition over one of f's level sets, i.e.,
the set of group elements g for which f(g) takes the measured value $f_0$. As the level sets of f are the
cosets of H, this puts the first register in a uniform distribution over superpositions on one of those
cosets, namely cH where $f(c) = f_0$ for some $f_0$. Moreover, it disentangles the two registers, resulting
in the state $\psi_3 \otimes |f_0\rangle$ where

$$\psi_3 = \frac{1}{\sqrt{|H|}} |cH\rangle = \frac{1}{\sqrt{|H|}} \sum_{h \in H} |ch\rangle .$$



Alternately, since the value $f_0$ we observe has no bearing on the algorithm, we can use the formulation
in which the environment, rather than the user, measures f. In that case, tracing over f yields a mixed
state with density matrix



P^yJ E IV*> «*l = p£ \ CH ) ( CH \ 



i.e., a classical mixture consisting of one pure state $\psi_3$ for each coset. Kuperberg refers to this as the
coherent hidden subgroup problem [18].

Step 4. Carry out the quantum Fourier transform on $\psi_3$ and measure the result.

For example, in Simon's algorithm [26], the "ambient" group G over which the Fourier transform is
performed is $\mathbb{Z}_2^n$, f is an oracle with the promise that f(x) = f(x + y) for some y, and H = {0, y} is a
subgroup of order 2. In Shor's factoring algorithm [25] G is the group $\mathbb{Z}_n^*$ where n is the number we wish
to factor, $f(x) = r^x \bmod n$ for a random r < n, and H is the subgroup of $\mathbb{Z}_n^*$ of index order(r). (However,
since $|\mathbb{Z}_n^*|$ is unknown, Shor's algorithm actually performs the transform over $\mathbb{Z}_q$ where q is polynomially
bounded by n; see [25] or [10, 11].)

These are all abelian instances of the hidden subgroup problem (HSP). Interest in nonabelian versions of
the HSP evolved from the relation to the elusive Graph Automorphism problem: it would be sufficient to
solve efficiently the HSP over the symmetric group $S_n$ in order to have an efficient quantum algorithm for
graph automorphism (see, e.g., Jozsa [16] for a review). This was the impetus behind the development of
the first nonabelian quantum Fourier transform [1] and is, in part, the reason that the nonabelian HSP has
remained such an active area of research in quantum algorithms.

In general, we will say that the HSP for a family of groups G has a Fourier sampling algorithm if a
procedure similar to that outlined above works. Specifically, the algorithm prepares a superposition of the
form

$$\frac{1}{\sqrt{|H|}} \sum_{h \in H} |ch\rangle$$

over a random coset cH of the hidden subgroup H, computes the (quantum) Fourier transform of this
state, and measures the result. After a polynomial number of such trials, a polynomial amount of classical
computation, and, perhaps, a polynomial number of classical queries to the function h to confirm the result,
the algorithm produces a set of generators for the subgroup H with high probability.

When G is abelian, measuring a state's Fourier transform has a clear meaning: one observes the frequency
$\chi$ with probability equal to the squared magnitude of the transform at that frequency. In the case where
G is a nonabelian group, however, it is necessary to select bases for each representation of G to perform
full measurement. (We explain this in more detail below.) The subject of this article is the relationship
between this choice of basis and the information gleaned from the measurement: are some bases more useful
for computation than others?

Since we are typically interested in exponentially large groups, we will take the size of our input to be
$n = \log |G|$. Throughout, "polynomial" means polynomial in n, and thus polylogarithmic in |G|.

1.1 Nonabelian Hidden Subgroup Problems 

Although a number of interesting results have been obtained on the nonabelian HSP, the groups for which
efficient solutions are known remain woefully few. On the positive side, Roetteler and Beth [22] give an
algorithm for the wreath product $\mathbb{Z}_2^k \wr \mathbb{Z}_2$. Ivanyos, Magniez, and Santha [15] extend this to the more
general case of semidirect products $K \ltimes \mathbb{Z}_2^k$ where K is of polynomial size, and also give an algorithm for
groups whose commutator subgroup is of polynomial size. Friedl, Ivanyos, Magniez, Santha and Sen solve a
problem they call Hidden Translation, and thus generalize this further to what they call "smoothly solvable"
groups: these are solvable groups whose derived series is of constant length and whose abelian factors are
each the direct product of an abelian group of bounded exponent and one of polynomial size [7]. (See also
Section 8.)

In another vein, Ettinger and Høyer [5] show that the HSP is solvable for the dihedral groups in an
information-theoretic sense; namely, a polynomial number of quantum queries to the function oracle gives
enough information to reconstruct the subgroup, but the best known reconstruction algorithm takes
exponential time. More generally, Ettinger, Høyer and Knill [6] show that for arbitrary groups the HSP can be
solved information-theoretically with a finite number of quantum queries. However, their algorithm calls
for a quantum measurement for each possible subgroup, and since there might be $|G|^{\Omega(\log |G|)}$ of these, it
requires an exponential number of quantum operations.

Our current understanding of the HSP, then, divides group families into three classes. 

I. Fully Reconstructible. Subgroups of a family of groups $\{G_i\}$ are fully reconstructible if the HSP can
be solved with high probability by a quantum circuit of size polynomial in $\log |G_i|$.

II. Information-Theoretically Reconstructible. Subgroups of a family of groups $\{G_i\}$ are
information-theoretically reconstructible if the solution to the HSP for $G_i$ is determined information-theoretically
by the fully measured result of a quantum circuit of size polynomial in $\log |G_i|$.

III. Quantum Information-Theoretically Reconstructible. Subgroups of a family of groups $\{G_i\}$ are
quantum information-theoretically reconstructible if the solution to the HSP for $G_i$ is determined by
the quantum state resulting from a quantum circuit of polynomial size in $\log |G_i|$, in the sense that
there exists a positive operator-valued measurement (POVM) that yields the subgroup H with constant
probability, but where it may or may not be possible to carry out this POVM with a quantum circuit
of polynomial size.

In each case, the quantum circuit has oracle access to a function $f : G \to S$, for some set S, with the property
that f is constant on each left coset of a subgroup H, and distinct on distinct cosets.

In this language, then, subgroups of abelian groups are fully reconstructible, while the result of [6] 
shows that subgroups of arbitrary groups are quantum information-theoretically reconstructible. The other 
work cited above has labored to place specific families of nonabelian groups into the more algorithmically 
meaningful classes I and II. 

1.2 Nonabelian Fourier transforms



In this section we give a brief review of nonabelian Fourier analysis, but only to the extent needed to set 
down notation. We refer the reader to [24] for a more complete exposition. 

Fourier analysis over a finite abelian group A expresses a function $\phi : A \to \mathbb{C}$ as a linear combination of
homomorphisms $\chi : A \to \mathbb{C}$. If $A = \mathbb{Z}_p$, for example, these are the familiar basis functions $\chi_t : z \mapsto \omega_p^{tz}$,
where $\omega_p$ denotes the pth root of unity $e^{2\pi i/p}$. Any function $\phi : A \to \mathbb{C}$ can be uniquely expressed as a linear
combination of these $\chi_t$, and this change of basis is the Fourier transform.

When G is a nonabelian group, however, this same procedure cannot work: in particular, there are not
enough homomorphisms of G into $\mathbb{C}$ to span the space of all $\mathbb{C}$-valued functions on G. To define a sufficient
basis, the representation theory of finite groups considers more general functions, namely homomorphisms
from G into groups of unitary matrices.

A representation of a finite group G is a homomorphism $\rho : G \to U(d)$, where U(d) denotes the group of
unitary $d \times d$ matrices (with entries from $\mathbb{C}$); the dimension $d = d_\rho$ is referred to as the dimension of $\rho$. If
$\rho : G \to U(d)$ is a representation, a subspace W of $\mathbb{C}^d$ is said to be invariant if $\rho(g)(W) \subseteq W$ for all g. A
representation is said to be irreducible if the only invariant subspaces are the trivial subspace $\mathbb{C}^d$ and {0}.

For a function $\phi : G \to \mathbb{C}$ and an irreducible representation $\rho$, $\hat\phi(\rho)$ denotes the Fourier transform of $\phi$
at $\rho$ and is defined by

$$\hat\phi(\rho) = \sqrt{\frac{d_\rho}{|G|}} \sum_{g \in G} \phi(g)\,\rho(g) .$$

Note that $\phi$ takes values in $\mathbb{C}$ while $\rho$ is matrix-valued. It is a fact that a finite group has a finite number of
distinct irreducible representations (up to isomorphism), and the Fourier transform of a function $\phi : G \to \mathbb{C}$
is the collection of matrices $\hat\phi(\rho)$, taken over all distinct irreducible representations $\rho$.

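Fixing a group G and a subgroup H, we shall focus primarily on the functions $\psi_c : G \to \mathbb{C}$ of form

$$\psi_c(g) = \begin{cases} \frac{1}{\sqrt{|H|}} & \text{if } g \in cH, \\ 0 & \text{otherwise,} \end{cases}$$

corresponding to the first register of the state $\psi_3$ resulting from Step 3 above, which is a uniform superposition
over the coset cH. The Fourier transform of such a function is then

$$\hat\psi_c(\rho) = \sqrt{\frac{d_\rho}{|G||H|}}\; \rho(c) \cdot \sum_{h \in H} \rho(h) .$$

Note, as above, that $\hat\psi_c(\rho)$ is a $d_\rho \times d_\rho$ matrix.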

For any subgroup H, the sum $\sum_h \rho(h)$ is precisely |H| times a projection operator (see, e.g., [13]); we
write

$$\sum_{h} \rho(h) = |H|\,\pi_H(\rho) .$$

With this notation, we can express $\hat\psi_c(\rho)$ as $\sqrt{n_\rho}\,\rho(c) \cdot \pi_H(\rho)$ where $n_\rho = d_\rho |H|/|G|$. For a $d \times d$ matrix M,
we let $\|M\|$ denote the matrix norm given by

$$\|M\|^2 = \mathrm{tr}(M^\dagger M) = \sum_{i,j} |M_{ij}|^2 ,$$

where $M^\dagger$ denotes the conjugate transpose of M. Then the probability that we observe the representation
$\rho$ is

$$\|\hat\psi_c(\rho)\|^2 = \|\sqrt{n_\rho}\,\rho(c)\,\pi_H(\rho)\|^2 = n_\rho\,\|\pi_H(\rho)\|^2 = n_\rho\,\mathrm{rk}\,\pi_H(\rho) ,$$

where $\mathrm{rk}\,\pi_H(\rho)$ denotes the rank of the projection operator $\pi_H(\rho)$. See [13] for more discussion.

1.3 Weak vs. strong sampling and the choice of basis

Hallgren, Russell, and Ta-Shma [13] show that by measuring only the names of representations — the
so-called weak standard method in the terminology of [9] — it is possible to reconstruct normal subgroups (and
thus solve the HSP for Hamiltonian groups, all of whose subgroups are normal). More generally, this method
reconstructs the normal core of a subgroup, i.e., the intersection of all its conjugates. On the other hand,
they show that this is insufficient to solve Graph Automorphism, since even in an information-theoretic sense
this method cannot distinguish between the trivial subgroup of $S_n$ and subgroups of order 2 consisting of
the identity and an involution.

Therefore, in order to solve the HSP for nonabelian groups, we need to measure not just the name of the
representation we are in, but also the row and column. In order for this measurement to be well-defined, we
need to choose a basis for $U(d_\rho)$ for each $\rho$. Grigni, Schulman, Vazirani and Vazirani [9] call this the strong
standard method. They show that if we measure using a uniformly random basis, then trivial and non-trivial
subgroups are still information-theoretically indistinguishable. However, they leave open the question of
whether the strong standard method with a clever choice of basis, rather than a random one, allows us to
solve the HSP in nonabelian groups, yielding an algorithm for Graph Automorphism.

Indeed, in representation theory certain bases are "preferred", and have very special computational
properties, because they give the matrices $\rho(g)$ a highly structured or sparse form. In particular, Moore,
Rockmore and Russell [19] showed that so-called adapted bases yield highly efficient algorithms for the
quantum Fourier transform.

1.4 Contributions of this paper 

As stated above, [13] and [9] leave an important open question: namely, whether there are cases where the
strong standard method, with the proper choice of basis, offers an advantage over a simple abelian transform
or the weak standard method. We settle this question in the affirmative. Our results deal primarily with the
q-hedral groups, i.e., semidirect products of the form $\mathbb{Z}_q \ltimes \mathbb{Z}_p$ where $q \mid (p-1)$, and in particular the affine
groups $A_p \cong \mathbb{Z}_p^* \ltimes \mathbb{Z}_p$.

We begin in Section 3 by focusing on full reconstructibility. We define the Hidden Conjugate Problem
(HCP) as follows: given a group G, a non-normal subgroup H, and a function which is promised to be
constant on the cosets of some conjugate $bHb^{-1}$ of H (and distinct on distinct cosets), determine the subgroup
$bHb^{-1}$ by finding an element $c \in G$ so that $cHc^{-1} = bHb^{-1}$. We adopt the above classification (fully,
information-theoretically, quantum information-theoretically) for this problem in the natural way. Then we
show that given a subgroup of sufficiently small (but still exponentially large) index, hidden conjugates in $A_p$
are fully reconstructible (Theorem 1). This almost immediately implies that, for prime $q = (p-1)/\mathrm{polylog}(p)$,
subgroups of the q-hedral groups $\mathbb{Z}_q \ltimes \mathbb{Z}_p$ are fully reconstructible (Theorem 2).

Section 4 concerns itself with information-theoretic reconstructibility. We generalize the results of
Ettinger and Høyer on the dihedral group and show that hidden conjugates of any subgroup are
information-theoretically reconstructible in the affine groups, and more generally the q-hedral groups for all q
(Theorem 3). We then show that we can identify the order, and thus the conjugacy class, of a hidden subgroup, and
this implies that all subgroups of the affine and q-hedral groups are information-theoretically reconstructible
(Theorem 5).

The results of Sections 3 and 4 rely crucially on measuring the high-dimensional representations of
the affine and q-hedral groups in a well-chosen basis, namely an adapted basis that respects the group's
subgroup structure. We show in Section 5 that we lose information-theoretic reconstructibility if we measure
using a random basis instead. Specifically, we need an exponential number of measurements to distinguish
conjugates of small subgroups of $A_p$. This establishes for the first time that the strong standard method is
indeed stronger than measuring in a random basis: some bases provide much more information about the
hidden subgroup than others.

For some nonabelian groups, the HSP can be solved with a "forgetful" approach, where we erase the
group's nonabelian structure and perform an abelian Fourier transform instead. In Section 6 we show that
this is not the case for the affine groups: specifically, if we treat $A_p$ as a direct product rather than a
semidirect one, its conjugate subgroups become indistinguishable.

As an application, in Section 7 we consider hidden shift problems. In the setting we consider, one
must reconstruct a "hidden shift" $s \in \mathbb{Z}_p$ from an oracle $f_s(x) = f(x - s)$, where f is any function that
is constant on the (multiplicative) cosets of a known multiplicative subgroup of $\mathbb{Z}_p^*$. These functions have
been studied in some depth for their pseudorandom properties, and several instances have been suggested as
cryptographically strong pseudorandom generators. By associating $f_s$ with its isotropy subgroup, and using
our reconstruction algorithm to find that subgroup, we give an efficient quantum algorithm for the hidden
shift problem in the case where f(x) is a function of x's multiplicative order mod r for some r = polylog(p).
This generalizes the work of van Dam, Hallgren, and Ip [3], who give an algorithm for hidden shift problems
in the case where f is precisely a multiplicative character.

Finally, in Section 8 we show that the set of groups for which the HSP can be solved in polynomial time
has the following closure property: if $\mathcal{H} = \{H_n\}$ is a family of groups for which we can efficiently solve the
HSP and $\mathcal{K} = \{K_n\}$ is a family of groups for which $|K_n| = \mathrm{polylog}\,|H_n|$, we can also efficiently solve the
HSP for the family $\{G_n\}$, where each $G_n$ is any extension of $K_n$ by $H_n$. This subsumes the results of [13]
on Hamiltonian groups, and also those of [15] on groups with commutator subgroups of polynomial size.



2 The affine and q-hedral groups

Let $A_p$ be the affine group, consisting of ordered pairs $(a, b) \in \mathbb{Z}_p^* \times \mathbb{Z}_p$, where p is prime, under the
multiplication rule $(a_1, b_1) \cdot (a_2, b_2) = (a_1 a_2, b_1 + a_1 b_2)$. $A_p$ can be viewed as the set of affine functions
$f_{(a,b)} : \mathbb{Z}_p \to \mathbb{Z}_p$ given by $f_{(a,b)} : x \mapsto ax + b$ where multiplication in $A_p$ is given by function composition.
Structurally, $A_p$ is a semidirect product $\mathbb{Z}_p^* \ltimes \mathbb{Z}_p \cong \mathbb{Z}_{p-1} \ltimes \mathbb{Z}_p$. Its subgroups are as follows:

• Let $N \cong \mathbb{Z}_p$ be the normal subgroup of size p consisting of elements of the form (1, b).

• Let $H \cong \mathbb{Z}_p^* \cong \mathbb{Z}_{p-1}$ be the non-normal subgroup of size $p-1$ consisting of the elements of the form
(a, 0). Its conjugates $H^b = (1, b) \cdot H \cdot (1, -b)$ consist of elements of the form $(a, (1-a)b)$. In the action
on $\mathbb{Z}_p$, $H^b$ is the stabilizer of b.

• More generally, if $a \in \mathbb{Z}_p^*$ has order q, let $N_q \cong \mathbb{Z}_q \ltimes \mathbb{Z}_p$ be the normal subgroup consisting of all
elements of the form $(a^t, b)$, and let $H_a$ be the non-normal subgroup $H_a = \langle (a, 0) \rangle$ of size q. Then $H_a$
consists of the elements of the form $(a^t, 0)$ and its conjugates $H_a^b = (1, b) \cdot H_a \cdot (1, -b)$ consist of the
elements of the form $(a^t, (1 - a^t)b)$.

Construction of the representations of $A_p$ requires that we fix a generator $\gamma$ of $\mathbb{Z}_p^*$. Define $\log : \mathbb{Z}_p^* \to \mathbb{Z}_{p-1}$
to be the isomorphism $\log \gamma^t = t$. Let $\omega_p$ denote the pth root of unity $e^{2\pi i/p}$. Then $A_p$ has $p-1$
one-dimensional representations $\sigma_s$, which are simply the representations of $\mathbb{Z}_p^* \cong \mathbb{Z}_{p-1}$, given by
$\sigma_t((a,b)) = \omega_{p-1}^{t \log a}$. Moreover, it has one $(p-1)$-dimensional representation $\rho$ given by

$$\rho((a,b))_{j,k} = \begin{cases} \omega_p^{bj} & k = aj \bmod p \\ 0 & \text{otherwise} \end{cases} \qquad 1 \le j, k < p , \qquad (1)$$

where the indices j and k are elements of $\mathbb{Z}_p^*$. See [24, §8.2] for a more detailed discussion.

Similarly, given prime p and $q \mid p-1$, we consider the q-hedral groups, namely semidirect products $\mathbb{Z}_q \ltimes \mathbb{Z}_p$.
These embed in $A_p$ in a natural way: namely, as the normal subgroups $N_q$ defined above. The dihedral groups
are the special case where q = 2.

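The representations of $\mathbb{Z}_q \ltimes \mathbb{Z}_p$ include the q one-dimensional representations of $\mathbb{Z}_q$ given by
$\sigma_\ell((a^t, b)) = \omega_q^{\ell t}$ for $\ell \in \mathbb{Z}_q$, and $(p-1)/q$ distinct q-dimensional representations $\rho_k$ given by

$$\rho_k((a^u, b))_{s,t} = \begin{cases} \omega_p^{k a^s b} & t = s + u \bmod q \\ 0 & \text{otherwise} \end{cases}$$

for each $0 \le s, t < q$. Here k ranges over the elements of $\mathbb{Z}_p^*/\mathbb{Z}_q$, or, to put it differently, k takes values in $\mathbb{Z}_p^*$
but $\rho_k$ and $\rho_{k'}$ are equivalent if k and k' are in the same coset of $\langle a \rangle$.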

The representations of the affine and q-hedral groups are related as follows. The restriction of the
$(p-1)$-dimensional representation $\rho$ of $A_p$ to $N_q$ is reducible, and is isomorphic to the direct product of the $\rho_k$.
Moreover, if we measure $\rho$ in a Gel'fand-Tsetlin basis such as (1) which is adapted to the tower of subgroups

$$A_p > N_q > \mathbb{Z}_p > \{1\} ,$$

then $\rho$ becomes block-diagonal, with $(p-1)/q$ blocks of size q, and these blocks are exactly the representations
$\rho_k$ of $N_q$. (See [19] for an introduction to adapted bases and their uses in quantum computation.) We will
use this fact in Sections 4 and 5 below.

The affine and q-hedral groups are metacyclic groups, i.e., extensions of a cyclic group $\mathbb{Z}_p$ by a cyclic
group $\mathbb{Z}_q$. In [14], Høyer shows how to perform the nonabelian Fourier transform over such groups (up to
an overall phase factor) with a polynomial, i.e., polylog(p), number of elementary quantum operations.



3 Full reconstructibility 

In this section we show that conjugates of sufficiently large subgroups of the affine groups are fully
reconstructible in polynomial time. For some values of p and q, this allows us to completely solve the Hidden
Subgroup Problem for the q-hedral group $\mathbb{Z}_q \ltimes \mathbb{Z}_p$.

Theorem 1. Let p be prime and let $a \in \mathbb{Z}_p^*$ have order $q = (p-1)/\mathrm{polylog}(p)$. Then the hidden conjugates
of $H_a$ in $A_p$ are fully reconstructible.

Proof. Consider first the maximal non-normal subgroup $H = H_\gamma$ (where $\gamma$ is a generator of $\mathbb{Z}_p^*$). Carrying
out steps 1 through 3 of the Fourier sampling procedure outlined in the introduction results in a state $\psi_3$
over the group G which is uniformly supported on a random left coset of the conjugate $H^b = bHb^{-1}$. Using
the procedure of [14], we now compute the quantum Fourier transform of this state over $A_p$, in the basis (1).
The associated projection operator is

$$\pi_{H^b}(\rho)_{j,k} = \frac{1}{p-1}\,\omega_p^{b(j-k)}$$

for $1 \le j, k < p$. This is a circulant matrix of rank one. More specifically, every column is some root of unity
times the vector

$$(u_b)_j = \frac{1}{p-1}\,\omega_p^{bj} ,$$

$1 \le j < p$. This is also true of $\rho(c) \cdot \pi_{H^b}(\rho)$; since $\rho(c)$ has one nonzero entry per column, left multiplying
by $\rho(c)$ simply multiplies each column of $\pi_{H^b}(\rho)$ by a phase. Note that in this case

$$n_\rho = d_\rho |H|/|G| = (p-1)/p = 1 - 1/p ,$$

so that upon measurement the $(p-1)$-dimensional representation $\rho$ is observed with overwhelming probability
$1 - 1/p$.

Assuming that we observe $\rho$, we perform another change of basis: namely, we Fourier transform each
column by left-multiplying $\rho(cH)$ by $Q_{\ell,j} = (1/\sqrt{p-1})\,\omega_{p-1}^{-\ell j}$. In terms of quantum operations, we are
applying the quantum Fourier transform over $\mathbb{Z}_{p-1}$ to the row register, while leaving the column register
unchanged. We can now infer b by measuring the frequency $\ell$. Specifically, we observe a given value of $\ell$
with probability

$$P(\ell) = \left| \frac{1}{p-1} \sum_{j=1}^{p-1} \omega_p^{bj}\,\omega_{p-1}^{-\ell j} \right|^2 = \frac{1}{(p-1)^2}\,\frac{\sin^2 (p-1)\theta}{\sin^2 \theta} \qquad (2)$$

where

$$\theta = \left( \frac{b}{p} - \frac{\ell}{p-1} \right) \pi .$$

Now note that for any b there is an $\ell$ such that $|\theta| < \pi/(2(p-1))$. Since

$$(2x/\pi)^2 \le \sin^2 x \le x^2$$

for $|x| < \pi/2$, this gives $P(\ell) > (2/\pi)^2$.

Recall that the probability that we observed the $(p-1)$-dimensional representation $\rho$ in the first place is
$n_\rho = 1 - 1/p$. Thus if we measure $\rho$, the column, and then $\ell$ and then guess that b minimizes $|\theta|$, we will be
right of the time. This can be boosted to high probability, i.e., $1 - o(1)$, by repeating the experiment
a polynomial number of times.

Consider now the more general case, when the hidden subgroup is a conjugate of the subgroup $H_a$ where
a's order q is a proper divisor of $p-1$. Recall that a given conjugate of $H_a$ consists of the elements of the
form $(a^t, (1 - a^t)b)$. Then we have

$$\pi_{H_a^b}(\rho)_{j,k} = \frac{1}{q} \begin{cases} \omega_p^{b(j-k)} & k = a^t j \text{ for some } t \\ 0 & \text{otherwise} \end{cases}$$

for $1 \le j, k < p$. In other words, the nonzero entries are those for which j and k lie in the same coset of
$\langle a \rangle \subset \mathbb{Z}_p^*$. The rank of this projection operator is thus the number of cosets, which is the index $(p-1)/q$ of
$\langle a \rangle$ in $\mathbb{Z}_p^*$. Since $n_\rho$ is now $q/p$, we again observe $\rho$ with probability

$$n_\rho\,\mathrm{rk}\,\pi_{H_a}(\rho) = (p-1)/p = 1 - 1/p .$$

Following the same procedure as before, we carry out a partial measurement on the columns of $\rho$, and
then Fourier transform the rows. After changing the variable of summation from t to $-t$ and adding a phase
shift of $e^{-i\theta(p-1)}$ inside the $|\cdot|^2$, the probability we observe a frequency $\ell$, assuming we find ourselves in the
kth column, is

$$P(\ell) = \left| \frac{1}{\sqrt{q(p-1)}} \sum_{t=0}^{q-1} \omega_p^{b(a^t k \bmod p)}\,\omega_{p-1}^{-\ell(a^t k \bmod p)} \right|^2 = \frac{1}{q(p-1)} \left| \sum_{t=0}^{q-1} e^{2i\theta(a^t k \bmod p)} \right|^2 . \qquad (3)$$



Now note that the terms in the sum are of the form $e^{i\phi}$ where (assuming w.l.o.g. that $\theta$ is positive)

$$\phi \in [-\theta(p-1), \theta(p-1)] .$$

If we again take $\ell$ so that $|\theta| < \pi/(2(p-1))$, then $\phi \in [-\pi/2, \pi/2]$ and all the terms in the sum have
nonnegative real parts. We will obtain a lower bound on the real part of the sum by showing that a constant
fraction of the terms have $\phi \in (-\pi/3, \pi/3)$, and thus have real part more than 1/2. This is the case whenever
$a^t k \in (p/6, 5p/6)$, so it is sufficient to prove the following lemma:

Lemma 1. Let a have order $q = p/\mathrm{polylog}(p)$ in $\mathbb{Z}_p^*$, p a prime. Then at least $(1/3 - o(1))q$ of the elements
in the coset $\langle a \rangle k$ are in the interval $(p/6, 5p/6)$.



Proof. We will prove this using Gauss sums, which quantify the interplay between the characters of $\mathbb{Z}_p$
and the characters of $\mathbb{Z}_p^*$. In particular, Gauss sums establish bounds on the distribution of powers of a.
Specifically, if a has order q in $\mathbb{Z}_p^*$ then for any integer $k \not\equiv 0 \bmod p$ we have

t=0 

(See [17] and Appendix A.) 

Now suppose s of the elements x in $\langle a \rangle k$ are in the set $(p/6, 5p/6)$, for which $\mathrm{Re}\,\omega_p^x \ge -1$, and the other
$q - s$ elements are in $[0, p/6] \cup [5p/6, p)$, for which $\mathrm{Re}\,\omega_p^x \ge 1/2$. Thus we have

$$\mathrm{Re} \sum_{t=0}^{q-1} \omega_p^{a^t k} \ge (q/2) - (3s/2) .$$

If $s < (1/3 - \epsilon)q$ for any $\epsilon > 0$ this is $\Omega(q)$, a contradiction. □

Now that we know that a fraction $1/3 - \epsilon$ of the terms in (3) have real part at least 1/2 and the others
have real part at least 0, we can take $\epsilon = 1/12$ (say) and write

$$P(\ell) \ge \frac{1}{q(p-1)} \left( \frac{q}{8} \right)^2 = \frac{1}{64}\,\frac{q}{p-1} = \frac{1}{\mathrm{polylog}(p)} .$$

Thus we observe the correct frequency with at least polynomially small probability; again this can be boosted
to high probability by repetition. □
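
A numerical check of the construction used in this proof, as an added example that is not part of the paper: it builds the representation of (1) for a small prime, forms the projection operator for a conjugate of $H_a$, and computes the frequency distribution that (2) and (3) describe. The function names are this example's own, and it assumes the coset representative c is the identity, so only the projector is transformed.

```python
import cmath
import math


def root(n, e):
    """omega_n^e = exp(2*pi*i*e/n)."""
    return cmath.exp(2j * math.pi * (e % n) / n)


def mul(g, h, p):
    """Group law of A_p: (a1, b1)(a2, b2) = (a1*a2, b1 + a1*b2)."""
    (a1, b1), (a2, b2) = g, h
    return (a1 * a2 % p, (b1 + a1 * b2) % p)


def rho(g, p):
    """Equation (1): entry (j, k) is omega_p^(b*j) if k = a*j mod p, else 0.
    Indices j, k run over 1..p-1 and are stored at list offsets j-1, k-1."""
    a, b = g
    m = [[0j] * (p - 1) for _ in range(p - 1)]
    for j in range(1, p):
        m[j - 1][a * j % p - 1] = root(p, b * j)
    return m


def matmul(x, y):
    n = len(x)
    return [[sum(x[i][t] * y[t][k] for t in range(n)) for k in range(n)]
            for i in range(n)]


def close(x, y, tol=1e-9):
    """Entrywise comparison of two square matrices."""
    return all(abs(u - v) < tol for r, s in zip(x, y) for u, v in zip(r, s))


def conjugate_subgroup(a, b, p):
    """H_a^b = {(a^t, (1 - a^t) b)}: the conjugate of <(a, 0)> by (1, b)."""
    elems, x = [], 1
    while True:
        elems.append((x, (1 - x) * b % p))
        x = x * a % p
        if x == 1:
            return elems


def projector(a, b, p):
    """pi_{H_a^b}(rho): the average of rho(h) over h in H_a^b."""
    hs = conjugate_subgroup(a, b, p)
    acc = [[0j] * (p - 1) for _ in range(p - 1)]
    for h in hs:
        for j, row in enumerate(rho(h, p)):
            for k, v in enumerate(row):
                acc[j][k] += v / len(hs)
    return acc


def rank(pi):
    """The rank of a projection operator equals its trace."""
    return round(sum(pi[i][i] for i in range(len(pi))).real)


def frequency_distribution(a, b, p, k=1):
    """P(l) for l in Z_{p-1}: normalise column k of the projector, then apply
    Q[l][j] = omega_{p-1}^(-l*j) / sqrt(p-1) over the row index j."""
    pi = projector(a, b, p)
    col = [pi[j - 1][k - 1] for j in range(1, p)]
    norm = math.sqrt(sum(abs(v) ** 2 for v in col))
    dist = []
    for l in range(p - 1):
        amp = sum(col[j - 1] * root(p - 1, -l * j) for j in range(1, p))
        dist.append(abs(amp / (norm * math.sqrt(p - 1))) ** 2)
    return dist


def closed_form(b, l, p):
    """Right-hand side of (2), with theta = pi * (b/p - l/(p-1))."""
    theta = math.pi * (b / p - l / (p - 1))
    if abs(math.sin(theta)) < 1e-12:
        return 1.0
    return (math.sin((p - 1) * theta) / ((p - 1) * math.sin(theta))) ** 2


def guess_b(l, p):
    """The b in Z_p minimising |theta| (taken modulo pi) for an observed l."""
    def dist(b):
        x = b / p - l / (p - 1)
        return abs(x - round(x))
    return min(range(p), key=dist)
```

With a generator for `a` the distribution agrees with the closed form in (2); with an element of smaller order q the same function evaluates the sum in (3) for the chosen column k.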

Theorem 1 implies that we can completely solve the Hidden Subgroup Problem for certain q-hedral
groups.

Theorem 2. Let p and q be prime with $q = (p-1)/\mathrm{polylog}(p)$. Then subgroups of the q-hedral group $\mathbb{Z}_q \ltimes \mathbb{Z}_p$
are fully reconstructible.

Proof. First, note that we can fully reconstruct H if it is non-trivial and normal. We do this by reconstructing
the normal core of H,

$$C(H) = \bigcap_{\gamma} \gamma H \gamma^{-1}$$

using the techniques of [13] (the weak standard method). The q-hedral groups have the special property
that no non-normal subgroup contains a non-trivial normal subgroup; then B is normal; in particular, if H
is non-normal, then C(H) is the trivial subgroup. Thus by reconstructing C(H), we either learn H = C(H)
or learn that H is either trivial or non-normal. Furthermore, if H is trivial we will learn this by checking
our reconstruction against the oracle f and finding that it is incorrect. Therefore, it suffices to consider the
non-normal subgroups.

If q is prime, then the non-normal subgroups of $\mathbb{Z}_q \ltimes \mathbb{Z}_p$ are all conjugate to a single subgroup $K \cong \mathbb{Z}_q$,
so the hidden subgroup problem reduces to the hidden conjugate problem for K. While one can construct
a proof similar to that of Theorem 1 directly for the q-hedral groups, it is convenient to embed them in $A_p$
using the isomorphisms $N_q \cong \mathbb{Z}_q \ltimes \mathbb{Z}_p$ and $H_a \cong K$ and appeal to Theorem 1.

Now suppose we have an oracle $f : \mathbb{Z}_q \ltimes \mathbb{Z}_p \to S$. We extend this to an oracle $f'$ on $A_p$ as follows. Choose
a generator $\gamma \in \mathbb{Z}_p^*$ and one of the $q-1$ elements $a \in \mathbb{Z}_p^*$ of order q, and let

f'-.Ap^Sx (a) 

where 



/'((<*,&))=(/(( 



Ioga 
(P-1)/<Z- 



,6 



recalling that $\log \gamma^t = t$. The second component of $f'$ serves to distinguish the cosets of $N_q$ from each other,
while the first component maps each coset of $N_q$ to $\mathbb{Z}_q \ltimes \mathbb{Z}_p$ with the element of $\mathbb{Z}_q$ written additively, rather
than multiplicatively. (This last step is not strictly necessary — after all, we could have written the elements
of $A_p$ in additive form in the first place — but it can be carried out with Shor's algorithm for the discrete
logarithm [25].) This reduces the HCP for K (and therefore the HSP) on $\mathbb{Z}_q \ltimes \mathbb{Z}_p$ to the HCP for $H_a$ on $A_p$,
completing the proof. □

As an example of Theorem 2, if q is a Sophie Germain prime, i.e., one for which p = 2q + 1 is also a
prime, we can completely solve the HSP for $\mathbb{Z}_q \ltimes \mathbb{Z}_p$.






4 Information-theoretic reconstructibility



In this section, we show that all subgroups of the affine and q-hedral groups, regardless of their size, are
information-theoretically reconstructible. We start by considering the hidden conjugate problem for
subgroups $H_a = \langle (a, 0) \rangle$ in $A_p$. Then in Theorem 5 we show that we can identify the conjugacy class of a hidden
subgroup, and therefore the subgroup itself. This generalizes the results of Ettinger and Høyer [5] who show
information-theoretic reconstructibility for the dihedral groups, i.e., the case q = 2.

Theorem 3. Let p be prime and let a be any element of $\mathbb{Z}_p^*$. Then the hidden conjugates of $H_a$ in $A_p$ are
information-theoretically reconstructible.

Proof. Suppose a has order q. Recall that $H_a$ and its conjugates $H_a^b$ are maximal in the subgroup
$N_q \cong \mathbb{Z}_q \ltimes \mathbb{Z}_p$. We wish to show that there is a measurement whose outcomes, given two distinct values of b,
have large, i.e., 1/polylog(p), total variation distance. First, we perform a series of partial measurements as
follows.

(i.) Measure the name of the representation of $A_p$. If this is not $\rho$ try again. Otherwise, continue;
(ii.) Measure the name of the representation of $N_q$ inside $\rho$;
(iii.) Measure the column of $\rho_k$; and
(iv.) Perform a POVM with q outcomes, in each of which s is u or u + 1 mod q for some $u \in \mathbb{Z}_q$.

As in Theorem 1, we measure the $(p - 1)$-dimensional representation of $A_p$ in a chosen basis. Recall that in the adapted basis (1) the restriction of $\rho$ to $N_q$ is block diagonal, where the $(p - 1)/q$ blocks are the $q$-dimensional representations $\rho_k$ of $N_q$. Therefore, the projection operator $\pi_{H_a^b}(\rho)$ is block-diagonal, and each of its blocks is one of the projection operators $\pi_{H_a^b}(\rho_k)$. Summing $\rho_k$ over $H_a^b = \{(a^t, (1 - a^t) b)\}$ gives

for $0 \le s, t < q$. This is a matrix of rank 1, where each column (even after left multiplication by $\rho_k(c)$) is some root of unity times the vector $(u_k)_s = (1/\sqrt{q})\, \omega_p^{k a^s b}$. Since $n_\rho = q/p$, the probability that we observe a particular $\rho_k$ is $q/p$. Since $\pi_{H_a^b}(\rho)$ has $(p - 1)/q$ blocks of this kind, it has rank $(p - 1)/q$, and the total probability that we observe $\rho$ is $(p - 1)/p = 1 - 1/p$ as before.

Then these four partial measurements determine $k$, remove the effect of the coset, and determine that $s$ has one of two values, $u$ or $u + 1$. Up to an overall phase we can write this as a two-dimensional vector

$$\frac{1}{\sqrt{2}} \begin{pmatrix} \omega_p^{k a^u b} \\ \omega_p^{k a^{u+1} b} \end{pmatrix} .$$

We now apply the Hadamard transform

$$\frac{1}{\sqrt{2}} \begin{pmatrix} 1 & 1 \\ 1 & -1 \end{pmatrix}$$

and measure $s$. The probability we observe that $s = u$ or $u + 1$ is then $\cos^2 \theta$ and $\sin^2 \theta$ respectively, where $\theta = (k a^u (a - 1) b \pi)/p$. Now when we observe a $q$-dimensional representation, the $k$ we observe is uniformly distributed over $\mathbb{Z}_p^*/\mathbb{Z}_q$, and when we perform the POVM, the $u$ we observe is uniformly distributed over $\mathbb{Z}_q$. It follows that the coefficient $m = k a^u (a - 1)$ is uniformly distributed over $\mathbb{Z}_p^*$. For any two distinct $b$, $b'$, the total variation distance is then

$$\frac{1}{2(p-1)} \sum_{m \in \mathbb{Z}_p^*} \left( \left| \cos^2 \frac{\pi m b}{p} - \cos^2 \frac{\pi m b'}{p} \right| + \left| \sin^2 \frac{\pi m b}{p} - \sin^2 \frac{\pi m b'}{p} \right| \right) .$$






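This we rewrite

$$\begin{aligned}
& \frac{1}{p-1} \sum_{m \in \mathbb{Z}_p^*} \left| \cos^2 \frac{\pi m b}{p} - \cos^2 \frac{\pi m b'}{p} \right| \\
&\quad = \frac{1}{2(p-1)} \sum_{m \in \mathbb{Z}_p} \left| \cos \frac{2\pi m b}{p} - \cos \frac{2\pi m b'}{p} \right| \\
&\quad \ge \frac{1}{4(p-1)} \sum_{m \in \mathbb{Z}_p} \left( \cos \frac{2\pi m b}{p} - \cos \frac{2\pi m b'}{p} \right)^2 = \frac{p}{4(p-1)} > \frac{1}{4} .
\end{aligned}$$

(Adding the $m = 0$ term contributes zero to the sum in the second line. In the third line we use the facts that $|x| \ge x^2/2$ for all $|x| \le 2$, the average of $\cos^2 x$ is $1/2$, and the two cosines have zero inner product.)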

Since the total variation distance between any two distinct conjugates is bounded below by a constant, we can distinguish between the $p$ different conjugates with only $O(\log p) = \mathrm{poly}(n)$ samples. Thus, hidden conjugates in $A_p$ are information-theoretically reconstructible, completing the proof. □

By embedding the $q$-hedral groups in $A_p$ as in Theorem 2, we can generalize Theorem 3 to the $q$-hedral groups (note that we do not require here that $q$ is prime):

Theorem 4. Let $p$ be prime and $q$ a divisor of $p - 1$. The subgroups of the $q$-hedral groups $\mathbb{Z}_q \ltimes \mathbb{Z}_p$ are information-theoretically reconstructible.

We now wish to information-theoretically reconstruct all subgroups of the affine and $q$-hedral groups. We can do this by first reconstructing which conjugacy class they lie in, and then applying Theorems 3 and 4.



Theorem 5. Let $p$ be prime and $q$ a divisor of $p - 1$. The subgroups of the $q$-hedral groups $\mathbb{Z}_q \ltimes \mathbb{Z}_p$ are information-theoretically reconstructible. In particular, the subgroups of the affine groups $A_p \cong \mathbb{Z}_p^* \ltimes \mathbb{Z}_p$ are information-theoretically reconstructible.


Proof. As in Theorem 2, we can (fully) reconstruct the normal subgroups of $\mathbb{Z}_q \ltimes \mathbb{Z}_p$, so it suffices to consider non-normal subgroups $H$. Recall that in this case, $H$ is cyclic and $|H|$ is equal to the order of $a$, where $H = \langle (a, b) \rangle$. Since there is a unique conjugacy class of subgroups of each order, it suffices to determine $|H|$, at which point the subgroup $H$ can be determined by Theorem 4.

Let the oracle be $f : \mathbb{Z}_q \ltimes \mathbb{Z}_p \to S$, and let $p_1^{\alpha_1} \cdots p_k^{\alpha_k}$ be the prime factorization of $q$, in which case $k \le \sum_i \alpha_i = O(\log q)$. For each $i \in \{1, \ldots, k\}$ and each $\alpha \in \{0, \ldots, \alpha_i\}$, we will determine if $p_i^{\alpha}$ divides $|H|$, and taking the largest such $\alpha$ for each $i$ gives the prime factorization of $|H|$.



Z q x Z p 



Z. 



i/ vi 



be the homomorphism given by 



To do this, for each i € [k] and 1 < a < ai, let T" 

: (a, 6) ^ 

Thcn let 

Af* = kerT? = { 7 G Z, x Z p 

where 1 denotes the identity element of Z ç k Z p . is the subgroup of Z g X Z p consisting of all elements 
whose orders are a múltiple of pf . Consider now the function 



= 1} 



Z 9 k Z p 



q/p" 



given by 

/'(7) = (/(7).Tf( 7 )) • 

Observe that /' is constant (and distinct) on the left cosets of H fi Af and, furthermore, the subgroup 
H n has order p Q if and only if p a divides the order of a. We may then determine if H n Af has order 






$p_i^{\alpha}$ by assuming that it does, reconstructing $H$ with Theorem 4 using $f'$ as the oracle, and checking the result against the original oracle $f$. This allows us to determine the prime factorization of $|H|$ as desired. Therefore, all subgroups of the $q$-hedral groups $\mathbb{Z}_q \ltimes \mathbb{Z}_p$ are information-theoretically reconstructible. □

As in the dihedral case [5], we know of no polynomial-time algorithm which can reconstruct the most likely $b$ from these queries. However, Kuperberg [18] gives a quantum algorithm for the HSP in the dihedral group, and more generally the hidden shift problem, that runs in subexponential ($e^{O(\log^{1/2} p)}$) time. Since we can reduce the HSP on $\mathbb{Z}_q \ltimes \mathbb{Z}_p$ to a hidden shift problem by focusing on two cosets of $\mathbb{Z}_p$, this algorithm applies to the $q$-hedral groups as well.



5 Random vs. adapted bases 

In Theorems 3 and 5, we measured the high-dimensional representation $\rho$ in a specific basis which is adapted to the subgroup structure of $A_p$ and the $q$-hedral groups. In contrast, we show in this section that if we measure $\rho$ in a random basis instead, then for all but the largest values of $q$ we need an exponential number of measurements in order to information-theoretically distinguish conjugate subgroups from each other.

Theorem 6. Let $p$ be prime and let $a \in \mathbb{Z}_p^*$ have order $q$ where $q < p^{1-\epsilon}$ for some $\epsilon > 0$. Let $P_b(v)$ be the probability that we observe a basis vector $v$ in the Fourier basis if the hidden subgroup is $H_a^b$. If we measure $\rho$ in a random basis, then for any two $b, b'$, with high probability the $L_1$ distance between these probability distributions is exponentially small, i.e., there exists $\beta > 0$ such that

$$\sum_v \left| P_b(v) - P_{b'}(v) \right| < p^{-\beta} .$$

Thus it takes an exponentially large number of measurements to distinguish the conjugates $H_a^b$ and $H_a^{b'}$.

Proof. Since we observe the high-dimensional representation $\rho$ with probability $1 - 1/p$, it suffices to consider the $L_1$ distance summed over the $d_\rho = p - 1$ basis vectors of $\rho$. In fact, we will show that $P_b(v)$ is exponentially close to the uniform distribution for all $b$.

Write $\pi = \pi_{H_a^b}(\rho)$. Then the probability we observe a given basis vector $v$, conditioned on observing $\rho$, is

$$P_b(v) = \frac{1}{\operatorname{rk} \pi} \left| \pi \cdot v \right|^2 .$$

If $v$ is uniformly random with norm 1, the expectation of $|\pi \cdot v|^2$ is $(\operatorname{rk} \pi)/d_\rho$, and so the expectation of $P_b(v)$ is $1/d_\rho$. We will use the following lemma to show that when $\operatorname{rk} \pi$ is sufficiently large, $P_b(v)$ is tightly concentrated around this expectation.

Lemma 2. Let $\pi$ be a projection operator of rank $r$ in a $d$-dimensional space, and let $v$ be a random $d$-dimensional vector of unit length. Then for all $0 < \delta < 2$,

$$\Pr\left[ \left| |\pi v|^2 - \frac{r}{d} \right| > \delta \frac{r}{d} \right] < 4 e^{-r\delta^2/48} .$$



Proof. We use an argument similar to [9]. We can think of a random $d$-dimensional complex vector $v$ as a random $2d$-dimensional real vector of the same length, and we can think of this in turn as

$$\frac{(w_1, \ldots, w_{2d})}{\sqrt{\sum_{i=1}^{2d} w_i^2}}$$

where the $w_i$ are independent Gaussian variables with zero mean and unit variance. By choosing a basis in which $\pi$ projects onto the first $r$ (complex) components of $v$, we have

$$|\pi v|^2 = \frac{r}{d} \cdot \frac{(1/2r) \sum_{i=1}^{2r} w_i^2}{(1/2d) \sum_{i=1}^{2d} w_i^2} .$$

We now use the following Chernoff bound, which can be derived from the moment generating function. For any $t$, we have

$$\Pr\left[ \left| \frac{1}{t} \sum_{i=1}^{t} w_i^2 - 1 \right| > \epsilon \right] < 2 \left[ (1 + \epsilon)^{1/2} e^{-\epsilon/2} \right]^t .$$

For $|\epsilon| < 1/2$, we have $\ln(1 + \epsilon) < \epsilon - \epsilon^2/3$ and this becomes

$$\Pr\left[ \left| \frac{1}{t} \sum_{i=1}^{t} w_i^2 - 1 \right| > \epsilon \right] < 2 e^{-t\epsilon^2/6} . \qquad (4)$$

Now, for any $a, b$, if $|a/b - 1| > \delta$ where $\delta < 2$, then either $|a - 1| > \delta/4$ or $|b - 1| > \delta/4$. Taking the union bound over these events where $a = (1/2r) \sum_{i=1}^{2r} w_i^2$ and $b = (1/2d) \sum_{i=1}^{2d} w_i^2$, setting $\epsilon = \delta/4$ and $t = 2r \le 2d$ in (4) gives the stated bound. □



Setting $d = d_\rho$ and $r = \operatorname{rk} \pi$, Lemma 2 and the union bound imply that, for any constant $A > \sqrt{48}$, if

$$\delta = A \sqrt{\frac{\log p}{\operatorname{rk} \pi}} \qquad (5)$$

then, with high probability, for all $d_\rho$ basis vectors $v$ we have

$$\left| P_b(v) - \frac{1}{d_\rho} \right| < \frac{\delta}{d_\rho} .$$

Summing over all $v$, this implies that the $L_1$ distance between $P_b(v)$ and the uniform distribution is at most $\delta$. Now recall that $\operatorname{rk} \pi = (p - 1)/q$. If $q < p^{1-\epsilon}$, then $\operatorname{rk} \pi > p^{\epsilon}$, and (5) gives $\delta < p^{-\beta}$ where $\beta = \epsilon/3$, say. Since $P_b(v)$ is within $\delta$ of the uniform distribution for all $b$, doubling the constant $A$ and using the triangle inequality completes the proof. □

Several remarks are in order. First, just as for the dihedral group, we can information-theoretically distinguish conjugate subgroups if we use a random basis within each $q$-dimensional block. The problem is that rather than having this block-diagonal structure, a random basis cuts across these blocks, mixing different "frequencies" $\rho_k$ and canceling out the useful information. This is precisely because it is not adapted to the subgroup structure of $A_p$; it doesn't "know" that $\rho$ decomposes into a direct sum of the $\rho_k$.

Second, it is worth noting that for the values of $q$ for which we have an algorithm for full (as opposed to information-theoretic) reconstruction, namely $q = p/\mathrm{polylog}(p)$, a random basis works as well since the $L_1$ distance $\delta$ becomes $1/\mathrm{polylog}(p)$. Based on the strong evidence from representation theory that some bases are much better for computation than others, we conjecture that, for some families of groups, adapted bases allow full reconstruction while random bases do not; but this remains an open question.

Third, while we focused above on distinguishing conjugate subgroups from each other, in fact our proof shows that if $q < p^{1-\epsilon}$ a random basis is incapable of distinguishing $H_a$ from the trivial subgroup. In contrast, Theorems 3 and 5 show that an adapted basis allows us to do this.



6 Failure of the abelian Fourier transform 

In [5] the abelian Fourier transform over $\mathbb{Z}_2 \times \mathbb{Z}_p$ is used in a reconstruction algorithm for the dihedral groups. Using this sort of "forgetful" abelian Fourier analysis it is similarly information-theoretically possible to reconstruct subgroups of the $q$-hedral groups, when $q$ is small enough.

However, it does not seem possible to reconstruct subgroups of $A_p$ using the abelian Fourier transform. In particular, we show in this section that if we think of the affine group as a direct product $\mathbb{Z}_p^* \times \mathbb{Z}_p$ rather than a semidirect product, then the conjugates of the maximal subgroup become indistinguishable. This is not surprising, since in an abelian group conjugates are identical by definition, but it helps illustrate that nonabelian hidden subgroup problems require nonabelian approaches (most naturally, in our view, representation theory).

Let us consider the hidden conjugate problem for the maximal subgroup $H$, i.e., $H_a$ where $a$ is a generator of $\mathbb{Z}_p^*$. In that case, the characters of $\mathbb{Z}_p^* \times \mathbb{Z}_p$ are simply $\rho_{k,\ell}(a^t, b) = \omega_{p-1}^{kt} \omega_p^{\ell b}$. Summing these over $H_a^b = \{(a^t, (1 - a^t) b)\}$ shows that we observe the character $(k, \ell)$ with probability

$$P(k, \ell) = \frac{1}{p(p-1)^2} \left| \sum_{t \in \mathbb{Z}_{p-1}} \omega_{p-1}^{kt}\, \omega_p^{\ell (1 - a^t) b} \right|^2 = \frac{1}{p(p-1)^2} \left| \sum_{x \in \mathbb{Z}_p^*} \omega_{p-1}^{k \log_a x}\, \omega_p^{\ell (1 - x) b} \right|^2 .$$

This is the inner product of a multiplicative character with an additive one, which is another Gauss sum. In particular, assuming $b \ne 0$, we have

$$\begin{aligned}
P(0, 0) &= 1/p \\
P(0, \ell \ne 0) &= 1/(p(p-1)^2) \\
P(k \ne 0, 0) &= 0 \\
P(k \ne 0, \ell \ne 0) &= 1/(p-1)^2
\end{aligned}$$

(see Appendix A). Since these probabilities don't depend on $b$, the different conjugates $H_a^b$ with $b \ne 0$ are indistinguishable from each other. Thus it appears essential to use the nonabelian Fourier transform and the high-dimensional representations of $A_p$.
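The four probabilities above, and their independence of $b$, can be checked numerically for a small prime. The following Python sketch is an added example, not code from the paper; the function names and the toy parameters $p = 11$, $a = 2$ (a generator of $\mathbb{Z}_{11}^*$) are assumptions chosen for illustration.

```python
import cmath

def forgetful_distribution(p, a, b):
    """P(k, l) when the hidden subgroup is H_a^b = {(a^t, (1 - a^t) b)} and the
    state is measured in the characters of the direct product Z_p^* x Z_p."""
    w_mul = cmath.exp(2j * cmath.pi / (p - 1))   # omega_{p-1}
    w_add = cmath.exp(2j * cmath.pi / p)         # omega_p
    dist = {}
    for k in range(p - 1):
        for l in range(p):
            amp = 0
            for t in range(p - 1):
                second = (1 - pow(a, t, p)) * b % p      # (1 - a^t) b mod p
                amp += w_mul ** (k * t % (p - 1)) * w_add ** (l * second % p)
            dist[(k, l)] = abs(amp) ** 2 / (p * (p - 1) ** 2)
    return dist

def conjugate_gap(p, a):
    """Largest difference in any P(k, l) between two conjugates with b != 0."""
    ref = forgetful_distribution(p, a, 1)
    gap = 0.0
    for b in range(2, p):
        d = forgetful_distribution(p, a, b)
        gap = max(gap, max(abs(d[key] - ref[key]) for key in ref))
    return gap

if __name__ == "__main__":
    p, a = 11, 2                                  # constructed toy parameters
    d = forgetful_distribution(p, a, 3)
    print("P(0,0) =", d[(0, 0)], " P(0,4) =", d[(0, 4)])
    print("P(3,0) =", d[(3, 0)], " P(3,4) =", d[(3, 4)])
    print("max gap between conjugates:", conjugate_gap(p, a))
```

Running the same function with $b = 0$ gives a different distribution, so the forgetful method separates $H_a$ itself from its conjugates but not the conjugates from one another.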



7 Hidden shift problems 

Using the natural action of the affine group on $\mathbb{Z}_p$, we can apply our algorithm for the hidden conjugate problem studied above to a natural family of hidden shift problems. Specifically, let $M$ be a multiplicative subgroup of $\mathbb{Z}_p^*$ of index $r > 1$, let $S$ be some set of $r + 1$ symbols, and let $f : \mathbb{Z}_p \to S$ be a function for which

$$f(x) = f(mx) \iff m \in M$$

for every $x \in \mathbb{Z}_p$. Observe that $f$ is constant on the (multiplicative) cosets of $M$ and takes distinct values on distinct cosets; to put it differently, $f(x)$ is an injective function of the multiplicative order of $x$ mod $r$. Furthermore, $f(0) \ne f(x)$ for any nonzero $x$. The hidden shift problem associated with $f$ is the problem of determining an unknown element $s \in \mathbb{Z}_p$ given oracle access to the shifted function

$$f_s(x) = f(x - s) .$$

Such functions have remarkable pseudorandom properties, and have been proposed as pseudorandom generators for cryptographic purposes, where $s$ acts as the seed to generate the sequence (e.g. [4]).

The special case when $f : \mathbb{Z}_p \to \mathbb{C}$ is a Legendre symbol, that is, a multiplicative character of $\mathbb{Z}_p^*$ extended to all of $\mathbb{Z}_p$ by setting $f(0) = 0$, was studied by van Dam, Hallgren, and Ip [12]. They give efficient quantum algorithms for these hidden shift problems for all characters of $\mathbb{Z}_p^*$. Their algorithms, however, make explicit use of the complex values taken by the character, whereas the algorithms we present here depend only on the symmetries of the underlying function $f$; in particular, in our case $f$ can be an arbitrary injective function from a multiplicative character into a set $S$. On the other hand, their algorithms are efficient for characters of any order, while our algorithms require that $r$ be at most polylogarithmic in $p$.

Returning to the general problem defined above, let $\mathcal{F}(\mathbb{Z}_p, S)$ denote the collection of $S$-valued functions on $\mathbb{Z}_p$. Note that the affine group $A_p$ acts on the set $\mathcal{F}(\mathbb{Z}_p, S)$ by assigning $\alpha \cdot g(x) = g(\alpha^{-1}(x))$ for each $\alpha \in A_p$ and $g \in \mathcal{F}(\mathbb{Z}_p, S)$. In particular, $f_s = (1, s) \cdot f$.
Now note that the isotropy subgroup of $f$, namely the subgroup of $A_p$ that fixes the cosets of $M$, is precisely $H_a = \langle (a, 0) \rangle$ where $a \in \mathbb{Z}_p^*$ has order $q = (p - 1)/r$. As we have $f_s = (1, s) \cdot f$, the isotropy subgroup of $f_s$ is the conjugate subgroup $H_a^s = (1, s) \cdot H_a \cdot (1, -s)$. Observe now that if we define $F_s : A_p \to (\mathbb{Z}_p)^p$ so that $F_s(\alpha)$ is the $p$-tuple $(\alpha f_s(0), \alpha f_s(1), \ldots, \alpha f_s(p - 1))$ then

$$F_s(\alpha) = F_s(\beta) \iff \alpha^{-1} \beta \in H_a^s , \qquad (6)$$

i.e., $F_s$ is constant precisely on the left cosets of $H_a^s$. Evidently, then, the solution to the hidden conjugate problem given by the oracle $F_s$ determines the solution to the hidden shift problem given by $f_s$. Unfortunately, the values of the oracle $F_s$ are of exponential size — we cannot afford to evaluate $\alpha f_s(x)$ for all $x \in \mathbb{Z}_p$. The same symmetries expressed in Equation (6), however, can be obtained efficiently by selecting an appropriate subset $R = \{x_1, \ldots, x_m\} \subset \mathbb{Z}_p$ and considering the oracle that samples $\alpha f_s$ on $R$: that is,

$$F_s^R(\alpha) = (\alpha f_s(x_1), \ldots, \alpha f_s(x_m)) .$$

Of course, we have $\alpha f_s = \beta f_s \Rightarrow F_s^R(\alpha) = F_s^R(\beta)$ regardless of $R$; the difficulty is finding a small set $R$ for which $F_s^R(\alpha) = F_s^R(\beta) \Rightarrow \alpha f_s = \beta f_s$. We show below that a set of $O(\log p)$ elements selected uniformly at random from $\mathbb{Z}_p$ has this property with high probability.

Considering that $\alpha f_s(x) = \alpha \cdot (1, s) \cdot f(x)$, it suffices to show that if $\alpha f \ne \beta f$ then

$$\Pr_x[\alpha f(x) = \beta f(x)] \le 1/2 ,$$

where $x$ is selected uniformly at random in $\mathbb{Z}_p$. Note that for affine functions $\alpha$ and $\beta$ and an element $x \in \mathbb{Z}_p$ for which $\beta^{-1}(x) \ne 0$,

$$\alpha f(x) = \beta f(x) \iff \frac{\alpha^{-1}(x)}{\beta^{-1}(x)} \in M .$$

The function $\alpha^{-1}(x)/\beta^{-1}(x)$ is a fractional linear transform, i.e., the ratio of two linear functions; this is the discrete analog of a Möbius transformation in the complex plane. As in the complex case, the fractional linear transform $\gamma(x)/\delta(x)$ is a bijection on the projective space $\mathbb{Z}_p \cup \{\infty\}$ unless $\gamma$ and $\delta$ share a root, or, equivalently, there is a scalar $z \in \mathbb{Z}_p^*$ such that $\gamma(x) = z \delta(x)$. If $\alpha^{-1}(x)/\beta^{-1}(x)$ is injective, we can immediately conclude that

$$\Pr_x[\alpha f(x) = \beta f(x)] \le |M|/(p - 1) = 1/r \le 1/2 .$$

Otherwise, $\alpha^{-1}(x)/\beta^{-1}(x) = z$ for some scalar $z$. Since $\alpha f \ne \beta f$, however, in this case we must have $z \in \mathbb{Z}_p^* \setminus M$. In particular, $f(zy) \ne f(y)$ for any $y \ne 0$, and so

$$\Pr_x[\alpha f(x) = \beta f(x)] = 1/p$$

since this only occurs at the unique root $x$ of $\alpha^{-1}(x) = 0$.

In either case, then, $\alpha f$ and $\beta f$ differ on at least half the elements of $\mathbb{Z}_p$ whenever $\alpha$ and $\beta$ belong to different cosets of $H_a$. It follows that if $R \subset \mathbb{Z}_p$ consists of $m$ elements chosen independently and uniformly at random from $\mathbb{Z}_p$, we have

$$\Pr_R[\forall x \in R,\ \alpha f(x) = \beta f(x)] \le 1/2^m$$

for any $\alpha, \beta \in A_p$ with $\alpha^{-1} \beta \notin H_a$. Taking a union bound over all pairs of left cosets of $H_a$,

$$\Pr_R[\exists \alpha, \beta \in A_p : \alpha^{-1} \beta \notin H_a,\ \forall x \in R,\ \alpha f(x) = \beta f(x)] \le \binom{p(p-1)/q}{2} \frac{1}{2^m} .$$

Selecting $m = 5 \log p$ ensures that this probability is less than $1/p$.

Since we showed in Section 3 that we can identify a hidden conjugate of $H_a$ whenever $H_a$ is of polylogarithmic index in $\mathbb{Z}_p^*$, and since this index is $(p - 1)/q = r$, this provides an efficient solution to the hidden shift problem so long as $r = \mathrm{polylog}(p)$.
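The two facts this reduction rests on, namely that $\alpha f$ and $\beta f$ from different cosets agree on at most half of $\mathbb{Z}_p$ and that the sampled oracle $F_s^R$ still separates every left coset, can be checked exhaustively for a small prime. The Python sketch below is an added example, not code from the paper. The concrete choice of $f$ (discrete logarithm mod $r$, with the extra symbol $r$ at 0), the function names, the toy prime $p = 13$, and reading $\log$ in $m = 5 \log p$ as base 2 are assumptions.

```python
import math
import random

def primitive_root(p):
    """Smallest generator of Z_p^*, by brute force (fine for small primes)."""
    for g in range(2, p):
        if len({pow(g, k, p) for k in range(p - 1)}) == p - 1:
            return g
    raise ValueError("p must be an odd prime")

def make_f(p, r):
    """f(x) = index of the coset of M containing x (M has index r); f(0) = r."""
    g = primitive_root(p)
    dlog = {pow(g, k, p): k for k in range(p - 1)}
    return lambda x: r if x % p == 0 else dlog[x % p] % r

def act(alpha, f, p):
    """(alpha . f)(x) = f(alpha^{-1}(x)), where alpha = (a, b) is x -> a*x + b."""
    a, b = alpha
    a_inv = pow(a, p - 2, p)
    return lambda x: f(a_inv * (x - b) % p)

def affine_group(p):
    return [(a, b) for a in range(1, p) for b in range(p)]

def agreement_profile(p, r):
    """Isotropy subgroup of f, and the largest number of points on which
    gamma.f agrees with f over all gamma outside that subgroup."""
    f = make_f(p, r)
    isotropy, worst = [], 0
    for gamma in affine_group(p):
        gf = act(gamma, f, p)
        agree = sum(gf(x) == f(x) for x in range(p))
        if agree == p:
            isotropy.append(gamma)
        else:
            worst = max(worst, agree)
    return isotropy, worst

def sampled_classes(p, r, s, seed=1):
    """Number of distinct values taken by the sampled oracle F_s^R on A_p,
    with R drawn as m = ceil(5 log2 p) uniform samples (base 2 is assumed)."""
    m = math.ceil(5 * math.log2(p))
    rng = random.Random(seed)
    R = [rng.randrange(p) for _ in range(m)]
    f = make_f(p, r)
    f_s = lambda x: f((x - s) % p)           # shifted function f_s(x) = f(x - s)
    return len({tuple(act(alpha, f_s, p)(x) for x in R)
                for alpha in affine_group(p)})

if __name__ == "__main__":
    p, r = 13, 3                              # constructed toy case, q = (p-1)/r = 4
    iso, worst = agreement_profile(p, r)
    print("isotropy subgroup:", iso)
    print("max agreement outside it:", worst, "of", p)
    print("classes seen through R:", sampled_classes(p, r, s=7), "expected", p * r)
```

For $p = 13$, $r = 3$ the isotropy subgroup comes out as the four elements $(a, 0)$ with $a \in M$, and the sampled oracle takes $p(p-1)/q = 39$ distinct values, one per left coset.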






8 Closure under extending small groups 



In this section we show that for any polynomial-size group $K$ and any $H$ for which we can solve the HSP, we can also solve the HSP for any extension of $K$ by $H$, i.e., any group $G$ with $K \lhd G$ and $G/K \cong H$. (Note that this is more general than split extensions, i.e., semidirect products $H \ltimes K$.) This includes the case discussed in [13] of Hamiltonian groups, since all such groups are direct products (and hence extensions) by abelian groups of the quaternion group $Q_8$ [23]. It also includes the case discussed in [7] of groups with commutator subgroups of polynomial size, such as extra-special $p$-groups, since in that case $K = G'$ and $H = G/G'$ is abelian. Indeed, our proof is an easy generalization of that in [7].

Theorem 7. Let $H$ be a group for which hidden subgroups are fully reconstructible, and $K$ a group of polynomial size in $\log |H|$. Then hidden subgroups in any extension of $K$ by $H$, i.e., any group $G$ with $K \lhd G$ and $G/K \cong H$, are fully reconstructible.

Proof. We assume that $G$ and $K$ are encoded in such a way that multiplication can be carried out in classical polynomial time. We fix some transversal $t(h)$ of the left cosets of $K$. First, note that any subgroup $L \subseteq G$ can be described in terms of i) its intersection $L \cap K$, ii) its projection $L_H = L/(L \cap K) \subseteq H$, and iii) a representative $\eta(h) \in L \cap (t(h) \cdot K)$ for each $h \in L_H$. Then each element of $L_H$ is associated with some left coset of $L \cap K$, i.e., $L = \bigcup_{h \in L_H} \eta(h) \cdot (L \cap K)$. Moreover, if $S$ is a set of generators for $L \cap K$ and $T$ is a set of generators for $L_H$, then $S \cup \eta(T)$ is a set of generators for $L$.

We can reconstruct $S$ in classical polynomial time simply by querying the function $f$ on all of $K$. Then $L \cap K$ is the set of all $k$ such that $f(k) = f(1)$, and we construct $S$ by adding elements of $L \cap K$ to it one at a time until they generate all of $L \cap K$.

To identify $L_H$, as in [7] we define a new function $f'$ on $H$ consisting of the unordered collection of the values of $f$ on the corresponding left coset of $K$:

$$f'(h) = \{ f(g) \mid g \in t(h) \cdot K \} .$$

Each query to $f'$ consists of $|K| = \mathrm{poly}(n)$ queries to $f$. The level sets of $f'$ are clearly the cosets of $L_H$, so we reconstruct $L_H$ by solving the HSP on $H$. This yields a set $T$ of generators for $L_H$.

It remains to find a representative $\eta(h)$ in $L \cap (t(h) \cdot K)$ for each $h \in T$. We simply query $f(g)$ for all $g \in t(h) \cdot K$, and set $\eta(h)$ to any $g$ such that $f(g) = f(1)$. Since $|T| = O(\log |H|) = \mathrm{poly}(n)$ this can be done in polynomial time, completing the proof. □

Unfortunately, we cannot iterate this construction more than a constant number of times, since doing so would require a superpolynomial number of queries to $f$ for each query of $f'$. If $K$ has superpolynomial size it is not clear how to obtain $\eta(h)$, even when $H$ has only two elements. Indeed, this is precisely the difficulty with the dihedral group.

9 Conclusion and directions for further work 

We have shown that the "strong standard method," applied with adapted bases, solves in quantum polynomial time certain nonabelian Hidden Subgroup Problems that are not solved with any other known technique, specifically measurements in random bases or "forgetful" abelian approaches.

While we are still very far from an algorithm for HSP in the symmetric group $S_n$ or for Graph Automorphism, a global understanding of the power of strong Fourier sampling remains an important goal. Perhaps the next class of groups to try beyond the affine and $q$-hedral groups are matrix groups such as $\mathrm{PSL}_2(p)$, whose maximal subgroups are isomorphic to $A_p$, and which include one of the infinite families of finite simple groups.

A Notes on exponential sums

The basic Gauss sum bounds the inner products of additive and multiplicative characters of $\mathbb{F}_p$, the finite field of prime cardinality $p$. Definitive treatments appear in [20, §5] and [17]. Considering $\mathbb{F}_p$ as an additive group with $p$ elements, we have $p$ additive characters $\chi_s : \mathbb{F}_p \to \mathbb{C}$, for $s \in \mathbb{F}_p$, given by $\chi_s : z \mapsto \omega_p^{sz}$, where, as above, $\omega_p = e^{2\pi i/p}$ is a primitive $p$th root of unity. Likewise considering the elements of $\mathbb{F}_p^* = \mathbb{F}_p \setminus \{0\}$ as a multiplicative group, we have $p - 1$ characters $\psi_t : \mathbb{F}_p^* \to \mathbb{C}$, for $t \in \mathbb{F}_p^*$, given by $\psi_t : g^z \mapsto \omega_{p-1}^{tz}$, where $\omega_{p-1} = e^{2\pi i/(p-1)}$ is a primitive $(p - 1)$th root of unity and $g$ is a multiplicative generator for the (cyclic) group $\mathbb{F}_p^*$.

With this notation the basic Gauss sum is the following:

Theorem 8. Let $\chi_s$ be an additive character and $\psi_t$ a multiplicative character of $\mathbb{F}_p$. If $s \ne 0$ and $t \ne 1$ then

$$\Bigl| \sum_{z \in \mathbb{F}_p^*} \chi_s(z) \psi_t(z) \Bigr| = \sqrt{p} .$$

Otherwise

$$\sum_{z \in \mathbb{F}_p^*} \chi_s(z) \psi_t(z) = \begin{cases} p - 1 & \text{if } s = 0,\ t = 1, \\ -1 & \text{if } s = 0,\ t \ne 1, \\ 0 & \text{if } s \ne 0,\ t = 1. \end{cases}$$

See [20, §5.11] for a proof.

This basic result has been spectacularly generalized. In the body of the paper we require bounds on additive characters taken over multiplicative subgroups of $\mathbb{F}_p^*$. Such sums are discussed in detail in [17]. The specific bound we require is the following.

Theorem 9. Let $\chi_t$ be a nontrivial additive character of $\mathbb{F}_p$ and $a \in \mathbb{F}_p^*$ an element of multiplicative order $q$. Then



See [17, §2] for a proof. 

Note that in the body of the paper, we use $\mathbb{Z}_p$ to denote the additive group of integers modulo $p$ and $\mathbb{Z}_p^*$ to denote the multiplicative group of integers modulo $p$.